This is an example setup that puts your authenticated Premium GenesysGo RPC endpoint behind a reverse proxy. This allows you to control where requests to your RPC come from without exposing your RPC's authentication tokens to your frontend users, thus protecting your premium resources.
The token is automatically fetched every 5 minutes and stored in a redis server that the NGINX proxy has access to read from.
There's an example NGINX default.conf in nginx/default.conf. This uses the openresty nginx release that has a Redis LUA module built in.
You will want to update the line set $endpoint "https://us-west-1.genesysgo.net/abc-123-def"; to be your premium RPC's url.
There's a Node.js server in server/ running on a 5 minute interval to update the token that's stored in Redis.
The proxy & redis logic is located within the /rpc location block.
Note that in production, you should only need to update this token once every 24 hours unless you're exposing this token to the public and need to rotate it faster than that.
- Copy
server/.env.exampletoserver/.env - Update
WALLET_KEYto the keypair file's value of the wallet that has access to generate authentication tokens for your Premium RPC. If you don't have this keypair file, you can convert your wallet's private key (exported from your wallet UI) into this format by following what's done in this script: https://gist.github.com/tracy-codes/f17e7ed8acfdd1be442f632f5b80763c - Update
RPC_IDto be the uuid at the end of your RPC's URL. For example, if your RPC's url ends in/abc-123-456then you'd set the value toRPC_ID=abc-123-456
- Run
docker compose upto build the containers and run the infrastructure. - You can now send any of your regular RPC requests to
http://localhost/rpc. There's an example curl request in example-proxy-authenticated-rpc-request.sh
Since this is an example implementation, it's absolutely not 100% intended to use in a production environment yet.
You should:
- Lock down your NGINX proxy to only allow requests from verified resources
- Look into using other proxy solutions that may work for your specific infrastructure
- Add a secondary wallet that's able to generate JWT tokens for your RPCs. This will allow you to use a wallet that has 0 assets and increase your operational security.